POSTER: Finding vulnerabilities in P4 programs with assertion-based verification

Abstract

Current trends in SDN extend network programmability to the data plane through the use of programming languages such as P4. In this context, the chance of introducing errors and consequently software vulnerabilities in the network increases significantly. Existing data plane verification mechanisms are unable to model P4 programs or present severe restrictions in the set of modeled properties. To overcome these limitations and make programmable data planes more secure, we present a P4 program verification technique based on assertion checking and symbolic execution. First, P4 programs are annotated with assertions expressing general correctness and security properties. Then, the annotated programs are transformed into C code and all their possible paths are symbolically executed. Results show that it is possible to prove properties in just a few seconds using the proposed technique. Moreover, we were able to uncover two potential vulnerabilities in a large scale P4 production application.

Publication
Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (ACM CCS)
Avatar
Lucas Freire
UFRGS MSc 2016-2018, now at Banrisul Bank